How to add Roles/Group to user based on their Google Groups (via Identity Provider)

I want to call out to Google to authenticate my users.
This parts works fine via adding an Identity Provider.

What I would like to do now is add the user to a group or add a role to that user based on the user groups that they are part of in Google.

I’m sure this should be achievable, but I can’t find the documentation to guide me.

Mappers are your friend.
In the data Keycloak gets from Google (most likely a token, with username, email, etc…) the roles and groups should be contained (if not, see how you add them on the Google side). Then, you can map the data from the Google-token to the Keycloak model and use claim-to-group mappers and similar.

Can you point me in the direction of documentation please.

Is this a mapper on the Identity Provider or on the Client?

Does this require release 17? I did see a PR in this area: KEYCLOAK-19283 Implemented new "Advanced claim to group" idp mapper by artur-baltabayev · Pull Request #8467 · keycloak/keycloak · GitHub

It’s a mapper of the IdP, has nothing to do with the client.
I don’t know this advanced mapper, I do group mapping with an Azure AD IdP with regular claim-to-group mapper since a few versions already, so, no need to use KC17, although you always should use the most recent version.

1 Like

I’ve spent another day on this and am no further forward.

I am coming to the conclusion that I am misunderstanding what KeyCloak does.

I can create an Identity provider…

But no where do I find any config allow me to get the groups back from Google, even if I pass over the Scope mentioned in their docs: Google API的OAuth 2.0範圍  |  Google Identity  |  Google Developers

All I get back is…

{
   "sub":"1111111111111",
   "name":"Jeff Porter",
   "given_name":"Jeff",
   "family_name":"Porter",
   "profile":"https://plus.google.com/1111111111",
   "picture":"https://lh3.googleusercontent.com/a/111111111-c",
   "email":"jporter@xxx.com",
   "email_verified":true,
   "locale":"en-GB",
   "hd":"xxxx.com"
}

If I did manage to get back the groups info, then I get stuck again, since I can find no way to add a User into a KeyCloak group or add a role based on anything in the token.

Is my only choice to use a SPI to call out to Google, get the Groups, and then have the SPI add the user to a group/role based on that response?

Is this my only option? Has this been done before?

did you find any way to do that ?